Thursday, September 26, 2013

ICMC: The Upcoming Transition to New Algorithms and Key Sizes

Presented by Allen Roginsky, Kim Schaffer, NIST.

There are major things we need to be concerned about – we need to move from
old, less secure algorithms to the new ones. This includes the transition to 112-bit
strong crypto and closing certain loopholes in old standards

The algorithms will fall into the following classes:

Acceptable (no known risks of use)

Deprecated (you can use it, but you are accepting
risk by doing so)

This is a temporary state

Restricted (deprecated and some additional restrictions apply)

Legacy-Use (may only be usd to process
already-protected information)

Disallowed (may not be used at all)

And of course, these classifications can change at any time. As you all know, the crypto algorithm arena
is ever changing.I asked a question
about the distinction between Legacy-Use and disallowed.It seems to me that you might find some old
data laying around that you’ll need to decrypt at a later date.Mr. Roginsky noted that they didn’t really
cover this when they did the DES transition, and you might be okay because
decrypting is not really “protecting” data.

When we get to January 1, 2014, 112-bit strength is required.Two-key 3DES is restricted through 2015.
Digital signatures are deprecated though 2013 if they aren’t strong enough. This is an example where you could continue
to use them for verification under “Legacy-Use” when we reach 2014.

Non SP-800-90A RNGs are disallowed for use after 2015 – you won’t even be
able to submit a test report after December 31, 2013 if you don’t have an
SP-800-90A RNG.

There is a new document everyone will want to review: SP 800-38 – it explains
the use of AES and 2Des for key wrapping.

SHA-224, 256, 384, 512 are all approved for all algorithms. SHA-1 is okay,
expect for digital signature generation. There are other changes around MACs
and key derivation.

We’ll also be transitioning from FIPS 186-2 to FIPS 186-3/4.Conformane to 186-2 can be tested through
2013.Already validated implementations will
remain valid, subject to the key strength requirements.Only certain functions (such as parameter
validation, public key validation and signature verification) will be tested
for 186-2 compliance after 2013.What this
really means is that some key sizes are gone” after 2013: RSA can only use 2048
and 3072 keys.

Make sure you also read Implementation Guidance (IG) 7.12: RSA signature
keys need to be generated as in FIPS 186-3 or X9.31.